top | item 46550599

(no title)

morgan814 | 1 month ago

Not all too long ago I had someone port out my VOIP number. They had it for a few hours. This was after I had spent extensive effort attempting to secure my digital life. VOIP was SIM-swap resistant sure, but I totally missed that port out requests default to failing open.

Thankfully the VOIP operator alerted me and pulled the number back. Then I set a port out code.

Who knows how many other holes I have. I lost my sense of smugness that day.

discuss

sneak|1 month ago

Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.

TOTP is also trivially phishable.

I still have my sense of smugness because I use SOTA 2fa.

embedding-shape|1 month ago

I wish banks would get this memo. Not only is one of my banks enforcing a maximum password length of 6 NUMBERS (no letters/special characters allowed), but also that high-value transfers are only confirmed via SMS 2FA, even though their own banking app also have a separate 2FA thing that doesn't go through SMS, but it's only used for "low-value" actions...

morgan814|1 month ago

> I still have my sense of smugness

Crappy SMS 2FA or not. Losing your number is a huge pain. Because phone numbers are treated as identity, it also allows the person who took your number to impersonate you by calling into $X service. At least in America.

Thorrez|1 month ago

TOTP is not SOTA 2FA. WebAuthn is SOTA 2FA. TOTP can be phished. WebAuthn cannot.